In the API environment, credentials get exposed through various means when pushed to public hub and leads to misuse of keys by the other users, if not protected adequately. So the developers need to regularly change the client-secrets that are used for the applications.

PayPal simplifies the credential rotation process with its self-service feature on the developer portal, where it provides greater flexibility to the developers in rotating credentials per their own schedule.

The new feature enables authentication for the applications using client-secret pair, similar to username-password combination. Here developers can generate new client-secret pairs whenever required and can disable and delete existing pairs if necessary.

Traditionally, developers cannot generate new credentials for their apps in a self-serve manner. With the addition of new feature, developers can have a single client secret pair which once created cannot be changed. To rotate credentials in production apps, developers are now provided with two client-secrets either enabled or disabled where a new client-secret can be added to an application and tested before the old one is disabled.

Self-serve credential management (SSCM) enables developers and API providers to manage the credentials efficiently delivering high rate application security. As credentials get exposed through various means in public hub, there might be a misuse of keys by the other users connected to that hub if left unprotected. SSCM paves the way to secure the API credentials by blocking its access in case of compromise and security concerns.

The best practices of client-secret rotation include: rotating client-secrets when credential custodians change; deleting the disabled client-secret pair after validating the applications with the new client-secret; disabling a “client-secret” immediately when suspected that credentials have been compromised as application will stop working until it is integrated with a new client-secret in “Enabled” status.

"Regularly updating the client-secret associated with your applications is a security best practice," said Gagan Maheshwari, Developer Platform Architect, PayPal . "We recommend that developers utilize the self-service client-secret rotation feature on the developer portal on a regular schedule for maximum application security."